CVE-2018-7536

Sažetak

An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.

Reference

http://www.securityfocus.com/bid/103361
https://access.redhat.com/errata/RHSA-2018:2927
https://access.redhat.com/errata/RHSA-2019:0051
https://access.redhat.com/errata/RHSA-2019:0082
https://access.redhat.com/errata/RHSA-2019:0265
https://github.com/django/django/commit/1ca63a66ef3163149ad822701273e8a1844192c2
https://github.com/django/django/commit/abf89d729f210c692a50e0ad3f75fb6bec6fae16
https://github.com/django/django/commit/e157315da3ae7005fa0683ffc9751dbeca7306c8
https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html
https://usn.ubuntu.com/3591-1/
https://www.debian.org/security/2018/dsa-4161
https://www.djangoproject.com/weblog/2018/mar/06/security-releases/

CVSS

Base:	5.0
Impact:	2.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	NONE	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:N/I:N/A:P

Zadnje važnije ažuriranje

07-12-2023 - 22:15

Objavljeno

09-03-2018 - 20:29